China-Linked UNC3886 Breaches Singapore’s Four Largest Telecom Providers

Feb 11, 2026

A China-linked advanced persistent threat (APT) actor known as UNC3886 successfully breached all four of Singapore’s major telecommunications operators—Singtel, StarHub, M1, and Simba Telecom—in a sophisticated cyber espionage campaign disclosed in 2025. While attackers gained access to internal systems, authorities confirmed that no services were disrupted and sensitive customer data was not accessed.

Attack Summary

Attribute: Details

Threat Actor: UNC3886 (China-linked APT)

Targeted Entities: Singtel, StarHub, M1, Simba Telecom (Singapore’s four largest telcos)

Type of Attack: Cyber espionage campaign with zero-day and rootkit use

Initial Exploit: Zero-day vulnerability to bypass perimeter defenses

Compromise Duration: Multiple occasions in the past year (2025)

Data Impact: Small amount of technical/network data exfiltrated; no customer PII taken

Service Impact: No disruption to mobile or internet services

Response Operation: Operation Cyber Guardian containing intrusion and securing infrastructure

What Happened?

According to Singapore’s Cyber Security Agency (CSA) and Infocomm Media Development Authority (IMDA), UNC3886 conducted a targeted, well-planned campaign against the country’s telecommunications infrastructure, penetrating internal systems of all four major operators.

The attackers used advanced tactics, including:

  • Leveraging a zero-day exploit to bypass perimeter firewalls and initial defenses.

  • Deploying rootkits to maintain persistence and avoid detection.

  • Exfiltrating a limited amount of technical data that could support further operations.

No personal customer information, such as subscriber identities or account records, was accessed or stolen, and there were no reported outages of telecommunication services during the breach.

Operation Cyber Guardian & Response

Once the suspicious activity was detected by the telcos, they reported it to national authorities, prompting the launch of Operation Cyber Guardian—Singapore’s largest coordinated cyber defense effort to date.

The response effort included:

  • Over 100 personnel from multiple government agencies and private partners.

  • Immediate closure of attacker access points and expanded monitoring across critical infrastructure sectors.

  • Enhanced defensive configurations to protect telecom systems against further compromise.

Despite the severity of the incident, the coordinated defence successfully contained the adversary’s foothold and prevented escalation into broader critical infrastructure, such as banking, transport, and healthcare systems.

Who Is UNC3886?

UNC3886 is tracked by cybersecurity firms like Mandiant and has been active since at least 2021, focusing on intelligence collection against government, telecommunications, and technology firms globally. The group’s operations share overlapping tactics with other China-aligned campaigns that have targeted telecom infrastructure in the U.S., Canada, and Asia.

While Singapore authorities have stopped short of officially attributing the group’s actions to any nation, multiple external cybersecurity reports describe UNC3886 as a China-nexus espionage actor.

Key Takeaways for Critical Infrastructure Defenders

  1. Advanced Threat Actors Target Critical Sectors: APT groups are increasingly focused on telecom and essential infrastructure, often for long-term espionage, not just immediate disruption.

  2. Zero-Day Risks Remain High: Unknown vulnerabilities continue to be one of the most significant vectors for initial access and persistent compromise.

  3. Rapid Reporting Matters: Early detection and reporting by private sector operators enabled Singapore’s authorities to contain this breach broadly.

  4. Coordinated Defense Yields Results: Cross-agency collaboration, robust monitoring, and containment operations are essential to mitigate these sophisticated intrusions.
